REMARKS 

In the Office Action, the Examiner rejected claims 56-62. Claims 63 and 64 are 
presently added, claims 56, 58-60, and 62 are presently amended, and claim 57 is presently 
canceled. Accordingly, claims 56 and 58-64 are presently pending. No new matter is 
included by the present amendments or new claims. The Applicant requests reconsideration 
of claims 56 and 57-62 in view of the following remarks. Additionally, the Applicant 
requests consideration of new claims 63 and 64 in view of the following remarks. 

Claim Rejections Under 35 U.S.C. § 112, Second Paragraph 

In the Office Action, the Examiner appears to have rejected claims 58 and 59 under 35 
U.S.C. § 112, second paragraph. Regarding claim 58, the Examiner indicated that "the 
subsequent login attempt" and "the longer time delay" did not have sufficient antecedent 
basis. Further, the Examiner suggested that claim 58 should have been dependent from claim 
57. Regarding claim 59, the Examiner suggested that the term "serializing" is used in the 
claim to mean "tracking" or "storing." The Examiner further suggested that the accepted 
meaning of "serializing" is "transmitting in sequence" or "occurring in a series." 

The Applicant presently amends claim 56 to include relevant features from claim 57. 
Accordingly, claim 56 now recites "a longer time delay" and "a subsequent login attempt." 
(Emphasis added). Claim 58 remains dependent from claim 56. In view of the present 
amendment, the Applicant believes the Examiner's concerns have been addressed and the 
rejection of claim 58 should be withdrawn. 

Regarding claim 59, the Applicant asserts that the term "serializing" does not mean 
"tracking" or "storing" as suggested by the Examiner. An exemplary embodiment of the 
present invention is directed to preventing unauthorized access to accounts. Some 
embodiments of the present invention "serialize login attempts made without a first-class 
login cookie 300 to control the rate at which such login attempts are processed" to prevent the 
"launch [of] many attacks against an account in parallel." Application, paragraph [0030] 
(emphasis added). In view of this disclosure in the application, the term "serialize" is 
believed to be adequately defined. Accordingly, the Applicant respectfully requests that the 
Examiner withdraw the rejection of claim 59. 

In view of the arguments set forth above, the Applicant requests that the Examiner 
withdraw the rejections of claims 58 and 59 and provide an indication of allowance. 

Claim Rejections Under 35 U.S.C. § 112, First Paragraph 

In the Office Action, the Examiner rejected claim 60 under 35 U.S.C. § 112, first 
paragraph. Specifically, the Examiner stated: 

Claim 60 is rejected under 35 U.S.C. § 112, first paragraph, as 
failing to comply with the written description requirement. The 
claim(s) contains subject matter which was not described in the 
specification in such a way as to reasonably convey to one skilled 
in the relevant art that the inventor(s), at the time the application 
was filed, had possession of the claimed invention. The limitation 
"responsive to the limited number being zero, associating a 
different class of login cookie with a more preferential level of 
service with the login cookie" is not supported by the specification. 
It appears that the limitation would upgrade a second-class login 
cookie to a first-class login cookie, which is the opposite of 
applicant's invention as understood by the examiner. 

Office Action, page 3. 

Regarding the written description requirement, the initial burden of proof regarding 
the sufficiency of the written description falls on the Examiner. Accordingly, the Examiner 
must present evidence or reasons why persons skilled in the art would not recognize a 
description of the claimed subject matter in the applicant's disclosure. In re Wertheim, 541 
F.2d 257, 262, 191 U.S.P.Q. 90, 96 (CCPA 1976). The Examiner is also reminded that the 
written description requirement does not require the claims to recite the same terminology 
used in the disclosure. The patentee may be his own lexicographer. Ellipse Corp. v. Ford 
Motor Co., 171 U.S.P.Q. 513 (7th Cir. 1971), aff'd. 613 F.2d 775 (7th Cir. 1979), cert. denied, 
446 U.S. 939 (1980). 

The Applicant traverses the Examiner's rejection of claim 60. The Applicant asserts 
that, in view of the specification, one of ordinary skill in the art would understand that having 
no invalid consecutive login attempts since a previous valid login would result in associating 
a different class of login cookie with a more preferential level of service with the login 
cookie. Indeed, the Applicant stresses that the subject matter set forth in claim 60 is clearly 
supported by the specification. For example, the Applicant directs the Examiner to 
paragraphs 34 and 35 of the application for support. For the convenience of the Examiner, 
paragraph 35 is set forth below: 

But each time a login attempt with a first-class login cookie 
300 is successful, the controller 120 sets the invalid-login count to 
zero. Additionally, each time a login attempt with a second-class 
login cookie 300 is successful, the controller 120 sets the invalid-login 
count to zero (and the login cookie class 310 is set to "first-class"). 
An invalid login count of zero indicates that a user did not 
make any invalid login attempts with the first-class login cookie 
300 since the most recent, successful login attempt. 

Application, paragraph [0035]. 

While the Applicant traverses the Examiner's rejection of claim 60, the Applicant 
presently amends claim 60 to clarify its meaning. An exemplary embodiment of the present 
invention is directed to resisting unauthorized attempts to login to an account. See 
Application, paragraph [0006]. To reduce the effectiveness of certain methods of attacking 
an account (e.g., dictionary attacks), present embodiments require additional time between 
login attempts for clients with second-class login tokens. See id. However, in some 
embodiments, if a client successfully logs into an account using a second-class login token, 
the client is provided with a first class login token. See id. Accordingly, amended claim 60 
recites, inter alia, "responsive to no invalid consecutive login attempts since a previous valid 
login, associating a different class of login cookie with a more preferential level of service 
with the login cookie." The Applicant asserts that this language is clearly supported in the 
specification. 

In view of the disclosure in the application and the present clarifying amendment to 
claim 60, the Applicant respectfully requests that the Examiner withdraw the rejection of 
claim 60. Further, the Applicant requests an indication of allowance for claim 60. 

Claim Rejections Under 35 U.S.C. § 102 

In the Office Action, the Examiner rejected claims 56-59, 61, and 62 under 35 U.S.C. 
§ 102(a) as being anticipated by Bhatti et al. (U.S. Patent No. 6,304,906) ("Bhatti reference"). 
Additionally, the Examiner rejected claims 56-59, 61, and 62 under 35 U.S.C. § 102(e) as 
being anticipated by Mosberger et al. (U.S. Patent No. 6,438,597) ("Mosberger reference"). 
The Applicant respectfully traverses these rejections. 

Specifically, with regard to the rejection of claim 57 in view of the Bhatti reference, 
the Examiner stated: 

With regard to claim 57, Bhatti et al disclose the method 
of claim 56 wherein providing a level of service to login 
attempts associated with the login cookie based on the login 
cookie class of the login cookie further comprises: 

imposing a longer time delay between an invalid login 
attempt and a subsequent login attempt for a second-class login 
cookie than for a first-class login cookie, (column 6, lines 13- 
39; "Each tier or class may have targets or expectations for 
performance" - lower class logins would experience lower 
class service, i.e. longer time delays) 

Office Action, pages 4-5. 

With regard to the rejection of claims 56-59, 61, and 62 in view of the Mosberger 
reference, the Examiner stated: 

Claims 56-59, 61, and 62 are rejected under 35 U.S.C. § 
102(e) as being anticipated by Mosberger et al. (U.S. Patent No. 
6,438,597) for reasons similar to those described above. 

Office Action, page 6. 

Anticipation under 35 U.S.C. § 102 can be found only if a single reference shows 
exactly what is claimed. Titanium Metals Corp. v. Banner, 778 F.2d 775, 227 U.S.P.Q. 773 
(Fed. Cir. 1985). For a prior art reference to anticipate under 35 U.S.C. § 102, every element 
of the claimed invention must be identically shown in a single reference. In re Bond, 910 
F.2d 831, 15 U.S.P.Q.2d 1566 (Fed. Cir. 1990). To maintain a proper rejection under 35 
U.S.C. § 102, a single reference must teach each and every limitation of the rejected claim. 
Atlas Powder v. E.I du Pont, 750 F.2d 1569 (Fed. Cir. 1984). Accordingly, the Applicant 
needs only point to a single element not found in the cited reference to demonstrate that the 
cited reference fails to anticipate the claimed subject matter. 

Further, if the Examiner relies on a theory of inherency, the extrinsic evidence must 
make clear that the missing descriptive matter is necessarily present in the thing described in 
the reference, and that it would be so recognized by persons of ordinary skill. In re 
Robertson, 169 F.3d 743, 49 U.S.P.Q.2d 1949 (Fed. Cir. 1999) (Emphasis Added). The mere 
fact that a certain thing may result from a given set of circumstances is not sufficient. Id. In 
relying upon the theory of inherency, the Examiner must provide a basis in fact and/or 
technical reasoning to reasonably support the determination that the allegedly inherent 
characteristic necessarily flows from the teachings of the applied prior art. Ex parte Levy, 17 
U.S.P.Q.2d 1461, 1464 (Bd. Pat. App. & Inter. 1990) (emphasis in original). The Examiner, 
in presenting the inherency argument, bears the evidentiary burden and must adequately 
satisfy this burden. See id. 

Turning to the claims, claims 56 and 62 are presently amended to include features 
relating to features initially recited in dependent claim 57 and, thus, claim 57 has been 
canceled. Specifically, as amended, claims 56 and 62 each recite, inter alia, "requiring a 
longer time delay for a second-class login cookie than for a first-class login cookie between 
an invalid login attempt and allowing a subsequent login attempt." (Emphasis added). 

The Bhatti reference fails to teach each and every feature of the present claims. For 
example, the Bhatti reference merely teaches that "class-based services provide tiered 
performances to match tiered pricing" and that "[e]ach tier or class may have targets or 
expectations of performance." Bhatti et al., col. 6, lines 33-35. The Applicant asserts that 
this does not inherently teach that a longer delay is required for a second-class login cookie 
than for a first-class login cookie. 

Embodiments of the present invention are directed to reducing the effectiveness of 
certain methods of attacking an account (e.g., dictionary attacks). Accordingly, present 
embodiments are directed to "requiring" additional time between login attempts for clients 
with second-class login tokens. See Application, paragraph [0006]. This facilitates resistance 
or prevention of certain account attacks, such as dictionary attacks. The Applicant can find 
no teaching of this in the Bhatti reference. Further, the Applicant can find no support for 
what appears to be an inherency argument by the Examiner. Indeed, the portion of the Bhatti 
reference cited by the Examiner is reproduced below to emphasize this deficiency. 

Each of the access request classification systems 52-52n 
is used for one of the content sites 108-108n. For example, the 
access request classification system 52 is for the content site 
108 and the access request classification system 52n is for the 
content site 108n. The access request classification systems 
52-52n are connected to their corresponding content sites 108-108n 
via the server application 53. Each access request 
classification system is used to classify the access requests for 
its corresponding content site such that preferential treatments 
may be provided for some of the access requests accessing that 
content site. This allows the server 50 to provide class-based 
services to its users. The class-based services server 50 allows 
multiple classes of users to share the same content site (i.e., the 
same URL address) and yet receive different treatments or 
performance. Class-based services is a mechanism for 
differentiating services given to individual classes. Thus, 
service performance can be priced based on performance or 
service agreements. A higher class with greater guarantee can 
be priced higher than a lower class that may offer less 
guarantee and more "best effort" services. Class-based 
services provide tiered performances to match tiered pricing. 
Each tier or class may have targets or expectations for 
performance. Each of the access request classification systems 
52-52n performs substantially the same function. The structure 
of each of the access request classification systems 52-52n is 
shown in FIG. 4, which will be described in more detail below. 

Col. 6, lines 13-39 of Bhatti et al. 

Regarding dependent claim 59, the Examiner stated that "login attempts to a computer 
system inherently occur serially, rather than in parallel." Office Action, page 5 (emphasis 
added). The Applicant respectfully traverses this assertion. First, it should be noted that the 
present claim is not limited to a single computer system. A login account may be accessed 
via multiple computer systems. For example, multiple clients may attempt to access a single 
account from multiple locations. Further, embodiments of the present invention are directed 
to preventing attacks against an account in parallel. As set forth above, embodiments of the 
present invention are directed to preventing unauthorized access to accounts. Some 
embodiments of the present invention "serialize login attempts made without a first-class 
login cookie 300 to control the rate at which such login attempts are processed" to prevent the 
"launch [of] many attacks against an account in parallel," Application, paragraph [0030] 
(emphasis added). 

The Applicant asserts that the Examiner has not provided sufficient support for the 
inherency arguments made in the Examiner's rejection of the subject matter set forth in 
amended claims 56 and 59. While the Applicant believes this is moot in view of the 
arguments set forth above, if the Examiner maintains a similar rejection in a future Office 
Action, the Applicant requests that the Examiner provide a basis in fact and/or technical 
reasoning to reasonably support the determination that the allegedly inherent characteristic 
necessarily flows from the teachings of the applied prior art. 

Regarding the Examiner's rejection of claims 56-59, 61, and 62 in view of the 
Mosberger reference, the Applicant respectfully asserts that the Examiner's rejections are 
vague and unexplained regarding the various claim features and, thus, the Applicant 
reminds the Examiner that: 

When a reference is complex or shows or describes inventions 
other than that claimed by the applicant, the particular part 
relied on must be designated as nearly as practicable. The 
pertinence of each reference, if not apparent, must be clearly 
explained and each rejected claim specified. 

37 C.F.R. § 1.104(c)2; see also M.P.E.P. § 707.07. 

Inasmuch as the Examiner basically rejected claims 56-59, 61, and 62 in view of the 
Mosberger reference for the same reasons the Examiner rejected claims 56-59, 61 and 62 in 
view of the Bhatti reference, the Applicant asserts that they are allowable for the same 
reasons set forth above. The Mosberger reference merely appears to disclose cookies that 
identify to which class a particular user is subscribed (e.g., flat fee class or pay-per use class). 
See Mosberger et al., col. 8, lines 17-18. Indeed, while the Mosberger reference appears to 
disclose providing class-based services, it does not appear to disclose requiring a longer time 
delay for a second-class login cookie than for a first-class login cookie between an invalid 
login attempt and allowing a subsequent login attempt, as presently recited. 

For the reasons set forth above, the Applicant respectfully requests withdrawal 
of the rejections under 35 U.S.C. § 102 and a notice of allowance for independent 
claims 56 and 62 and the claims depending therefrom. 

New Claims 

As set forth above, the Applicant added new claims 63 and 64. For the 
reasons discussed in detail above and other claim features, the Applicant believes 
these claims are patentable over the cited references and in condition for allowance. 
Therefore, the Applicant requests that the Examiner allow the new claims 63 and 64. 

Conclusion 

In view of the remarks set forth above, the Applicant respectfully requests 
allowance of claims 56 and 58-64. If the Examiner believes that a telephonic 
interview will help speed this application toward issuance, the Examiner is invited to 
contact the undersigned at the telephone number listed below. 



CORRESPONDENCE ADDRESS: 

HEWLETT-PACKARD COMPANY 
Intellectual Property Administration 
P.O. Box 272400 

Fort Collins, Colorado 80527-2400 